Published by the Internet Law Center

9th Circuit Weighs in on CFAA and CAN-SPAM

The Computer Fraud and Abuse Act (“CFAA”) provides civil and criminal penalties against someone who “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2). Courts have struggled over what role the terms and conditions of a public website play in determining whether access is “unauthorized”.

MySpace Mom Decision

In United States v. Drew, Case No. 08-CR-582 (C.D. Cal. 2009), Central District Judge Wu reversed the conviction of the infamous “MySpace Mom” whose actions led to the suicide death of Megan Meier. Judge Wu explained, in part, that

by utilizing violations of the terms of service as the basis for the section 1030(a)(2)(C) crime, that approach makes the website owner – in essence – the party who ultimately defines the criminal conduct.

Nosal Password Decision

The 9th Circuit has issued two illuminating opinions under the CFAA this month. In U.S. v. Nosal, Case No. 14-10037 (9th Cir. July 5, 2016), the court affirmed the CFAA conviction of a former employee after he used the password of an existing employee to gain access.

Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing. Nor is it about violating a company’s internal computer-use policies. The conduct at issue is that of Nosal and his co-conspirators, which is covered by the plain language of the statute. Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed. Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access. This access falls squarely within the CFAA’s prohibition on access “without authorization,” and thus we affirm Nosal’s conviction for violations of § 1030(a)(4) of the CFAA.

Facebook CFAA Judgment Upheld

In Facebook, Inc. v. Power Ventures d/b/a Power.com, Case No. 13-17102 (9th Cir. July 12, 2016) (decision at bottom of post), the court addressed a campaign by the now-defunct Power Ventures to attract Facebook users, in which users who clicked on the promotion caused messages to be sent through the Facebook system. In affirming the judgment against Power Ventures, the court looked to its Nosal opinion.

From those cases, we distill two general rules in analyzing authorization under the CFAA. First, a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability. Second, a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA.

The court noted that Power Ventures’ initial use of Facebook to send messages via its users was arguably authorized, since it was triggered by the Facebook user. Once Facebook found out about the promotion, however, it sent Power Ventures a cease and desist letter informing it that the campaign violated Facebook’s terms of use, (i) demanded that Power Ventures stop the campaign, and (ii) imposed blocks on Power Ventures’ IP address to stop it.

Power deliberately disregarded the cease and desist letter and accessed Facebook’s computers without authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers “without authorization” within the meaning of the CFAA and is liable under that statute.

Facebook CAN-SPAM Award Reversed

The Power Ventures court, however, reversed a multi-million dollar award in favor of Facebook under the CAN-SPAM Act. The court found that using the Facebook system to send emails and internal messages to users did not trigger liability under the federal spam law. First, the emails that Power Ventures triggered indicated that they were coming from Facebook, which was permitted under CAN-SPAM since Facebook was the initiator of the message.

As to the internal Facebook messages, the Ninth Circuit found no violation.

We can find these messages misleading only if they impaired the ability of the recipient to “respond to a person who initiated the electronic mail message” or the ability of Facebook to locate the initiator of the messages. Id. § 7704(a)(6). Two factors convince us that the messages are not misleading under this standard. First, the body of the messages included both Power’s name and a link to the Power website. A reasonable recipient could understand that Power had drafted the message or had some part in its construction. Second, Facebook users who were identified as the senders did authorize the sending of these messages. It was not misleading for such users to be identified in internal messages sent through the Facebook system.

Note 1: In CouponCabin, the court denied a motion to dismiss a CFAA claim, finding

that CFAA liability may exist in certain situations where a party’s authorization to access electronic data—including publicly accessible electronic data—has been affirmatively rescinded or revoked. By alleging that the Defendants knowingly and intentionally circumvented the Plaintiff’s security measures after the Plaintiff blocked access from certain cloud computing/internet service providers and communicated with the Defendants by demanding that they cease and desist scraping-related activities, the Plaintiff has pled enough facts to survive dismissal.